changeset 6396:dcfe355dfda4
HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().
When the "pending" value is zero, the "buf" will be right shifted
by the width of its type, which results in undefined behavior.
Found by Coverity (CID 1352150).
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Fri, 12 Feb 2016 16:36:20 +0300 |
parents | ba3c2ca21aa5 |
children | 78f8ac479735 |
files | src/http/v2/ngx_http_v2_huff_encode.c |
diffstat | 1 files changed, 6 insertions(+), 2 deletions(-) |
--- a/src/http/v2/ngx_http_v2_huff_encode.c +++ b/src/http/v2/ngx_http_v2_huff_encode.c @@ -231,6 +231,10 @@ ngx_http_v2_huff_encode(u_char *src, siz buf = pending ? code << (sizeof(buf) * 8 - pending) : 0; } + if (pending == 0) { + return hlen; + } + buf |= (ngx_uint_t) -1 >> pending; pending = ngx_align(pending, 8); @@ -241,10 +245,10 @@ ngx_http_v2_huff_encode(u_char *src, siz buf >>= sizeof(buf) * 8 - pending; - while (pending) { + do { pending -= 8; dst[hlen++] = (u_char) (buf >> pending); - } + } while (pending); return hlen; }
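Review bot: The new `if (pending == 0) { return hlen; }` guard in the first hunk (@@ -231,6 +231,10 @@) has no comment saying what it protects, and the statement it protects is not adjacent to it. The undefined shift named in the commit message is `buf >>= sizeof(buf) * 8 - pending;`, which sits several lines further down. A one-line comment on the guard would keep a later refactor from moving or dropping it. The comment should say that zero pending bits means the output already ends on a byte boundary, so there is nothing to pad, and that the guard keeps the later shift count below the width of `buf`. The context line above already uses the same pattern (`buf = pending ? code << (sizeof(buf) * 8 - pending) : 0;`), so the comment could point at that line as the precedent.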
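Review bot: The `do { ... } while (pending);` loop in the second hunk (@@ -241,10 +245,10 @@) removes the loop's own zero check and is safe only because of the early return added in the first hunk. With that return in place, `pending` is nonzero and `ngx_align(pending, 8)` makes it a multiple of 8, so the old `while (pending)` and the new form run the same iterations. The loop rewrite therefore changes no behavior here. If `pending` ever reaches this point as 0, `pending -= 8` now executes once and `dst[hlen++]` is written with a shift count derived from the decremented value. I would either keep `while (pending)` or state the invariant (pending is a nonzero multiple of 8) in a comment directly above the `do`.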